netfilter: nf_tables: bail out on mismatching dynset and set expressions

If dynset expressions provided by userspace is larger than the declared set expressions, then bail out. Fixes: 48b0ae0 ("netfilter: nftables: netlink support for several set element expressions") Reported-by: Xingyuan Mo <hdthky0@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
torvalds · Dec 6, 2023 · 3701cd3 · 3701cd3
1 parent 63331e3
commit 3701cd3
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
@@ -280,10 +280,15 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
 			priv->expr_array[i] = dynset_expr;
 			priv->num_exprs++;
 
-			if (set->num_exprs &&
-			    dynset_expr->ops != set->exprs[i]->ops) {
-				err = -EOPNOTSUPP;
-				goto err_expr_free;
+			if (set->num_exprs) {
+				if (i >= set->num_exprs) {
+					err = -EINVAL;
+					goto err_expr_free;
+				}
+				if (dynset_expr->ops != set->exprs[i]->ops) {
+					err = -EOPNOTSUPP;
+					goto err_expr_free;
+				}
 			}
 			i++;
 		}